In my previous post, we looked at the basics of IAM, the different IAM components and their benefits. In this article, we will look at how to manage access to AWS services and resources securely using AWS Identity and Access Management (IAM).
AWS Identity and Access Management
IAM is the gatekeeper of your AWS deployment. IAM in AWS facilitates the management of:
- Users (real-world users or pseudo-users) and Groups (collections of users).
- A single IAM setup even if you have a multi-region deployment, because IAM is a global service.
- Several authentication capabilities, from basic password-based authentication to integration with an identity provider, such as your corporate Active Directory.
- Access control for resources via Policies. Policies are like regulations: only the access they state will be granted.
- A more advanced entity named Role, which is likewise used to manage access to AWS services. Aside from managing access to AWS services, Roles cannot be used to make requests to AWS services.
Now that we have looked at what IAM offers in an AWS deployment, let's go further and see how to set up and get started with IAM.
1. First, create an AWS account, or log in to an existing AWS account, and sign in as the root user.
2. If you have not previously set up IAM on the account by creating an administrator IAM user and group, the IAM dashboard will look like this. The dashboard shows your progress as you complete the IAM configuration.
3. The next step is to enable access to billing data for the IAM admin user that you will create, as follows:
- On the navigation bar, choose your account name, and then choose My Account.
- Next to IAM User and Role Access to Billing Information, choose Edit.
Note: For this section to be displayed on the account page, you must sign in as the root user.
- Select the box to Activate IAM Access and click Update.
4. After you have done that, click Services on the navigation bar and then IAM to return to the IAM dashboard.
5. On the left-hand menu, choose Users and then click Add user. Enter "Administrator" in the user name box and select the AWS Management Console access checkbox.
6. Select the Custom password radio button and provide an initial password.
Note: By default, AWS will require the new administrator to set a new password at first sign-in; if you prefer to keep the initial password, uncheck the corresponding checkbox.
7. Next, create a group and add the user to it. To do that, go to the Permissions page.
- On the Permissions page, select Add user to group and then click the Create group button.
- Name the new group "Administrators" and select the AdministratorAccess policy from the list of policies.
- Click the Create group button.
- Make sure the Administrators group is selected and then click the Next: Tags button.
Note: Adding tags is optional and can be beneficial for bigger organisations, but we will skip tags for this scenario.
- Finally, as seen below, click the Next: Review button.
Note: If you choose to have more than one admin, you can create an admin group for all the admins under the account. Even though users can be assigned as admins, some access, such as billing access, is restricted to the root account unless it is granted to other users or groups.
Review your configuration settings to check that everything is correct; if it is, click the Create user button to complete the process.
You can now download the credentials you just created and/or send the login information to your new user.
Note: This is your only chance to access this information, so closely examine your options. To return to the Dashboard, click Close.
When creating users, it's good practice to always:
- Consider all types of users, both real and pseudo-users.
- Use a strong password. If your password is generated, copy it somewhere safe for later use.
- Only attach the necessary policies. When using groups, attach policies to groups and avoid attaching policies directly to users; instead, assign users to the appropriate groups.
- Grant only the type of access the user needs. For example, a system user typically does not need console access.
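As an added example (not code from the original post), here is a small Python model of how IAM evaluates identity-based policies attached through groups: access is denied by default, a matching Allow grants it, and any matching Deny wins. The policy documents, the LogReaders group, and the log-ingest and contractor users are constructed for this example, and conditions, resource policies and permission boundaries are left out.

```python
import fnmatch

# Constructed, simplified policy documents for this example. AdministratorAccess
# has the shape of the AWS managed policy; the other two are hypothetical.
POLICIES = {
    "AdministratorAccess": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "ReadExampleLogs": [  # hypothetical least-privilege policy for a system user
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-logs*"}],
    "DenyBilling": [      # hypothetical guard rail: an explicit Deny beats any Allow
        {"Effect": "Deny", "Action": "aws-portal:*", "Resource": "*"}],
}

# Policies are attached to groups; users get permissions only via membership.
GROUPS = {
    "Administrators": ["AdministratorAccess"],
    "LogReaders": ["ReadExampleLogs", "DenyBilling"],
}
USERS = {
    "Administrator": ["Administrators"],
    "log-ingest": ["LogReaders"],                    # constructed system user
    "contractor": ["Administrators", "LogReaders"],  # constructed: Deny still wins
}


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one pattern or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(user, action, resource):
    """Decide one request under simplified IAM rules: default deny, any
    matching Allow grants access, any matching Deny overrides all Allows."""
    allowed = False
    for group in USERS.get(user, []):
        for policy in GROUPS.get(group, []):
            for stmt in POLICIES[policy]:
                if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                    if stmt["Effect"] == "Deny":
                        return False
                    allowed = True
    return allowed


if __name__ == "__main__":
    log = "arn:aws:s3:::example-logs/2024/app.log"
    print(is_allowed("Administrator", "iam:CreateUser", "*"))       # True
    print(is_allowed("log-ingest", "s3:GetObject", log))            # True
    print(is_allowed("log-ingest", "s3:PutObject", log))            # False
    print(is_allowed("contractor", "aws-portal:ViewBilling", "*"))  # False
```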
Getting started with IAM in your AWS account is quite easy and fun. You can start using your IAM users at this point. There are some good practices to consider when using IAM:
- Set up an MFA (multi-factor authentication) on the root account as an additional layer of security.
- Limit the sharing of root account credentials and lessen the use of the root account.
- Limit the sharing of IAM admin user credentials and grant only required access via the IAM policies.